Ohio University

Protected Health Information

Definition: Protected Health Information (PHI) is defined as individually identifiable health information that relates to the following:

  • Past, present, or future physical or mental health or condition of an individual.
  • Provision of health care to the individual by a covered entity (i.e. hospital or physician).
  • Past, present, or future payment for provision of health care to the individual.

Governing Authority: Health Insurance Portability and Accountability Act (HIPAA)

Responsible Operating Unit: Legal Affairs

Examples: Data elements that, when combined with health information about a person, make such information protected health information (PHI): names, telephone numbers, fax numbers, email addresses, social security numbers, medical record numbers, health plan beneficiary numbers, license plate numbers, URLs, full face photographic images, or any other unique identifying number, characteristic, code, or combination that allows identification of an individual.

Special Considerations: Researchers must be aware that health and medical information about research subjects may also be regulated by HIPAA.

Acceptable IT Services & Tools:

  • Qualtrics

Consultation Required:

  • OnBase - With OIT consultation.
  • OneDrive/O365 Groups - Only with OIT consultation and Group setup according to the Storing Sensitive Data within OneDrive Standard.
  • NAS departmental shared storage (shared.ohio.edu) - With OIT consultation to ensure data is encrypted.
  • NAS individual home storage (home.ohio.edu) - With OIT consultation to ensure data is encrypted.

Not Permitted IT Services & Tools:

  • Blackboard
  • OneDrive/O365 individual accounts
  • PeopleSoft
  • Personal cloud accounts
  • Personal/Non-University owned devices

If the IT service or tool you wish to use to store data classified as medium or high sensitivity is not listed, contact Information Security to determine if it's appropriate for your data type.